
An anonymous reader writes "Those hackers from team PI have released the Xbox 360 experience kiosk demo disc as an ISO. They say this demo contains no media protection and therefore it will run on the Xbox 360 when burned to a DVD-R disc. The disc contains playable demos such as Call of Duty 2, which could also be hackable, as PI speculates."

They're out now! The January 2006 issue of OXM has a demo disk that works on both the original Xbox and the new Xbox 360. Probably possible because they both use different file extensions for the default file.

All you need is a buffer overflow in some signed code and you can jump to your unsigned loader. There are ways around this of course, but gaming hardware can't really take that kind of speed hit on execution time. I think Phantasy Star Online for the Dreamcast was the first major buffer overflow, which persisted in the GameCube version. Then there were the memory card savegame buffer overflows, and many more.

Actually, Phantasy Star Online had a back door, not a buffer overflow. A packet that Sega called RcvProgramPatch could be sent to the client containing assembly code that the game would then execute. This allowed Sega to patch holes in the game and check for cheats, but it eventually led to the downfall of the Gamecube security system. (Dreamcast PSO had this feature as well, but Dreamcast had other security problems =) )

From what I saw on the magazine rack, OXM is already offering a disk with playable Xbox 360 demos. What is getting the hackers excited is that the files on the demo disk are not encrypted, and they are signed to boot from seemingly any type of media. This disk is going to be used by hackers to determine how the 360 authorizes a game to be booted and with what kind of media. They can now figure out what signals are different and produce a modchip that will allow backups to run. This is the second step in opening up the 360 to run any code. The first was figuring out the format files are laid out on the disk with, and this was cracked and reported on earlier.

Not to mention, if the disk is not signed or encrypted, it would be trivial to make the Xbox run arbitrary code. It is then possible to do just about anything. Of course, it is most likely that Microsoft will fix this exploit with a software update/hardware revision.

There have been demo disks circulating for some time (also media check free). So while these demo discs may have no media checks, that doesn't mean that the executables are not signed.

As I understand it the media check basically lets the 360's hypervisor know what media the executable is allowed to run from. Demos do not have these media checks as they may be downloaded and run from the hard disk, or run from DVD.

Obviously only signed code was intended to be run on the machine, the absence of a media check does not mean the executable isn't signed. In fact anyone would be incredibly naive to think that the executables were not unsigned.

All in all I don't think we're any closer to modding the 360. This hacker group also released an Xbox 360 ISO extraction tool which amounted to nothing. It turned out that any of the existing Xbox ISO extraction tools could do the exact same thing. It's just a lot of smoke and no fire.

Obviously only signed code was intended to be run on the machine, the absence of a media check does not mean the executable isn't signed. In fact anyone would be incredibly naive to think that the executables were not unsigned.
That should read : In fact anyone would be incredibly naive to think that the executables were not signed.

Yes, the executables were probably signed, but in making copies you still have a copy of the signed exe; what stops media from directly running is the media check. Normally, if it's not the official format, if the dummy sectors are absent and the filesystem is correct, or if it's not the official media of MS, it still doesn't run the code. It's traditionally a three-way check. That's not the case here though. Here two parts of that are missing. What's really important here is to know that games can be run from dif

Yeah, but making [backup... right?] copies of signed programs (e.g. commercial games) is only half the battle. They need to figure out how to run unsigned code anyway, because that's what allows community-written software (e.g. Xbox Media Center) to run.

It seems Microsoft was in such a hurry to get this stuff out that they forgot to set the media protection on this disc. This leaves hackers with the possibility to hack around with this disc that loads from a normal DVDR5 backup! - *Team Pi also notes that all the datafiles on this disc aren't signed in any way*, and will allow for extensive modification for producing exploits to further our effort to hack this box!

Data != executables. This of course still might leave some opportunity for a buffer overflow attack by modifying that data, but as the 360 actually normally runs with some memory protection (compared to the original "everything is friends down at ring 0" in the Xbox), the route into loading arbitrary code of arbitrary size may still be quite complex.

Thank you, but realize that my point still stands. The Xbox /should/ be looking for signed code, and /should/ NOT play any code that is NOT signed. So actually now what you're saying is that there are no parts of the three-way check present...? Prob not the case here. Chances are that the binaries are in fact signed and the release group jumped the gun; OR they meant that the data itself is unsigned, and the exes are the only thing signed. Same as on the original Xbox... which is why people were able to import

Microsoft actually supports this method of running executables - the xbox emulator update for the 360 can be installed just by downloading a default.xex from their website and burning it to a DVD. Nothing special there.

I used to be a subscriber to OXM for exactly this reason- the demo disks. I passed on, or bought, a lot of games based on the demos. It was always good to get through the hype of the previews and see what the game was actually like.

So far, I plan on relying on the downloadable demos (which are huge) to do this for me. If not enough demos are released, I guess I'll have to re-subscribe to OXM.

I believe the subscription price was like $17 per year...much better than paying $9.99 retail per issue.

Any code on the disc is digitally signed, it just doesn't care what type of media it's loaded from. Hell, Microsoft already released a burnable disc image that updates the bios firmware and system software. If they trust their security system enough to do that, then burnable game demos are probably going to be common. Why bother media protecting a demo anyway? They might as well let people copy it.

The only sliver of hope is that there is some flaw in the signed software which is exploitable by chang

Microsoft has made absolutely NO attempt to deny how they are closely following their competition's strategies. To that end... if they see potential to copy a concept I'm sure they will. They are highly aware that the ability to easily use swap methods with the PS1 and PS2, the mod and gamesave exploits for the original Xbox, and the homebrew potential of the PSP are major reasons for Sony's systems to sell like hotcakes. Maybe this could be an underhanded effort to get "the scene" interested in cracking the

Yeah, but then again the X360 doesn't play all games via backwards compatibility either, so if Microsoft is having a hard time emulating and finding workarounds for hardware that they themselves created, you can imagine how hard it is for black-box emulator creators. I think that you should give them credit for getting ANYTHING to work at all, considering...

You may be correct, but the drive is still different than a PC DVD Drive. A couple years ago, I replaced the xbox dvd drive with a pc dvd drive because mine was having trouble reading disks.

The pc drive had to be flashed and the motor had to be rotated 180 degrees to get it to read originals. I remembered moving the motor, I'm sure that's where the backwards bit came from. Here are directions. [xbox-scene.com] It is not as simple as putting a disk into a pc dvd drive and hitting copy.

The motor in the xbox spins normally, just like it does for any other CD or DVD (xbox discs are ordinary DVDs). Soldering the wires in a different order is necessary because the firmware is designed for a different drive and the motor connections are in the wrong order on the replacement's PCB.

What software are you using to perform the backup. Last time I checked (well over a year ago) it still was not possible to read and copy disks without downloading files from the xbox, then using GDFIMAGE to create the ISO. You could use UDF, but the end result could be any number of bad things. If you are doing direct copies, how are you dealing with the media checks?

As I recall, it has always been possible to create a backup of a backup.

Urban Legend. Gamecube discs do not default to being read from the outside in -- depending on the game and manufacturer/producer of said game, the game's bootstrap code or loader or whatever you want to call it can be as far as 3/4 of the way to the end of the disc. But it still doesn't read from the outside in. It pops the end of the disc on boot to get the game's boot code, then hits back to the center like any other CD/DVD reading device.

To address the entire topic of this conversation, this 'achievement' doesn't mean crap. There is no *exploit* that allows this disc to boot. Whoever pressed it intentionally left off the media check -- thus allowing it to be played as downloaded from Live or on DVD. Not a big deal. It's still encrypted and signed -- the hypervisor still won't run it if a single bit has been altered.

I don't know about you, but I don't think my computer has enough spare CPU cycles in the next 100 years to crack the digital signing.

An exploit would be these people releasing the same DVD image that self-boots but has different content. But they can't. Because the 360 won't run it.

Just think about what people are inferring here. Microsoft, tremendous software goliath, pioneers new Xbox360 system that they claim is 'unhackable'. They have learned from their mistake with the Xbox and have actually taken many steps to make sure the system is as hard to hack as possible. 20 days after its release, they accidentally post an un-protected ISO on their website, allow production facilities to produce un-protected DVDs, and allow hackers to have full rein over their console.

Does this sound odd to anyone else? They wouldn't release these things if they didn't think (whether or not they're correct) that it had absolutely no gain to the hacker community. They're not going to help the hackers crack this system -- they have absolutely no gain from doing so. They lose money on each console, do you really think that's all they want you to buy? It doesn't work that way. This wouldn't have been released the way it was unless MS approved it -- there is a 99.95% chance that if they approved it, there is no way of hacking it.

I'd like to be proved wrong here, but until someone makes a DVD iso for the Xbox360 that opens up to a picture of a horse's ass and an arrow pointing to it that says 'SyncNine', I'm going to have to think I'm correct.

You still have to hand it to them, they did, after all, commence dumping the discs to ISO's a lil while ago all on their lonesome. Also they had the kindness to let us all know of the slip-up, and publish the ISO for people to play with. That said, this isn't really a flame-war I'm trying to start. I don't even HAVE a penis:D

This is a eunuchs site after all, if you pardon the misspelling... and with the evil proprietary eunuchs systems, it's time someone started developing a free clone.. we could call it Girls Not Eunuchs or something.

The executables are still signed. It is common for supporting data files to be un-signed. The executable usually does a hash check on its datafiles to make sure they haven't been messed with. It seems like everyone jumps on every little thing about the inner workings of the XBox 360 as a major exploit. The sensationalism is just getting boring.

The executables are still signed. It is common for supporting data files to be un-signed. The executable usually does a hash check on its datafiles to make sure they haven't been messed with.

All it takes is one buffer overflow in an executable reading a corrupted data file (which will probably be verified with something less than MD5), and this could be turned into a "boot key" allowing the loading of arbitrary code... at least until Microsoft uploads a patch to everybody locking out the executable if you d
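The two defences the posts above argue about (a hash check on data files, and an executable that does not trust lengths read from those files) can be shown together. The block below is an added example written for this thread; it is not Xbox 360 code and the file format, file names, limits and bytes in it are all constructed. It embeds a SHA-256 manifest of the data files (the kind of check a signed executable can carry, since the manifest travels inside the signature) and a parser that validates every length field before using it, so a corrupted file is refused at one of two independent points instead of overrunning a fixed-size buffer.

```python
"""
Added example: integrity manifest plus bounds-checked parsing for the
data files of a signed executable. Everything here is constructed.
"""
import hashlib
import hmac
import struct

MAX_NAME_LEN = 32   # constructed limit for a level name
MAX_RECORDS = 64    # constructed limit on records per file


class MalformedRecord(ValueError):
    """Raised when a length or count in the file is inconsistent or too large."""


def build_manifest(files):
    """Digest every data file. In a real system this manifest would be built
    at mastering time and shipped inside the signed executable."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_file(manifest, name, data):
    """First defence: refuse any file that is unlisted or whose digest changed."""
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def encode_records(records):
    """Constructed 'level list' format: u16 count, then per record
    u8 name_len, name bytes, u32 score (all little-endian)."""
    out = struct.pack("<H", len(records))
    for name, score in records:
        name_bytes = name.encode("ascii")
        out += struct.pack("<B", len(name_bytes)) + name_bytes + struct.pack("<I", score)
    return out


def parse_records(blob):
    """Second defence: every count and length is checked against a fixed
    limit and against the bytes actually present before it is used."""
    view = memoryview(blob)
    if len(view) < 2:
        raise MalformedRecord("truncated header")
    (count,) = struct.unpack_from("<H", view, 0)
    if count > MAX_RECORDS:
        raise MalformedRecord(f"record count {count} exceeds limit {MAX_RECORDS}")
    offset = 2
    records = []
    for _ in range(count):
        if offset + 1 > len(view):
            raise MalformedRecord("truncated name length")
        name_len = view[offset]
        offset += 1
        if name_len == 0 or name_len > MAX_NAME_LEN:
            raise MalformedRecord(f"name length {name_len} out of range")
        if offset + name_len + 4 > len(view):
            raise MalformedRecord("record runs past end of file")
        name = bytes(view[offset:offset + name_len]).decode("ascii")
        offset += name_len
        (score,) = struct.unpack_from("<I", view, offset)
        offset += 4
        records.append((name, score))
    if offset != len(view):
        raise MalformedRecord("trailing bytes after last record")
    return records


def safe_parse(blob):
    """Wrap the parser so callers get a status instead of an exception."""
    try:
        return ("ok", parse_records(blob))
    except (MalformedRecord, UnicodeDecodeError) as exc:
        return (f"rejected: {exc}", None)


def load_level_list(manifest, name, data):
    """The executable's load path: integrity check first, then defensive parse."""
    if not verify_file(manifest, name, data):
        return ("rejected: integrity check failed", None)
    return safe_parse(data)


# Constructed samples: a good file, the same file with one bit flipped in a
# name byte, and a file whose name length claims more bytes than it holds.
GOOD = encode_records([("level01", 1200), ("level02", 3400)])
FLIPPED = GOOD[:3] + bytes([GOOD[3] ^ 0x01]) + GOOD[4:]
OVERSIZED = struct.pack("<H", 1) + struct.pack("<B", 200) + b"x" * 10
MANIFEST = build_manifest({"levels.dat": GOOD})

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("flipped", FLIPPED), ("oversized", OVERSIZED)):
        print(label, load_level_list(MANIFEST, "levels.dat", blob))
    # The parser alone still refuses the oversized file if the manifest check were absent.
    print("oversized, parser only:", safe_parse(OVERSIZED))
```

The flipped file still parses cleanly (the flipped byte is inside a name), so only the manifest catches it; the oversized file fails the manifest too, but `safe_parse` shows that the parser would refuse it on its own, which is the property that matters when a length field is the attacker's lever.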

Creating a boot disc is the first step into a much larger world. Thus it was with the Dreamcast, so it appears to be with the Xbox. The major difference is the fact that the Xbox's BIOS is malleable at MS's whim, so even if an exploit works for a while, there are certainly no guarantees with a software solution like this.

You are not supposed to be able to rip *any* 360 game and play it off a burnt DVD.

The fact that you can do this with this demo DVD means that all any group has to do is figure out *why* this is (what the relevant section of bytes is), rip out the needed bytes, and use it to bootstrap the 360 to run any burnt game or app they please.

The media protection and signing are very different things. The executables are still signed and from that cannot be modified. However, they can be played on a variety of media, burnable media included. The files themselves, to my knowledge, are not signed or checked. That would open the door for simple map mods or similar as seen with the Halo series. As for code execution, not likely. The hypervisor as well as other checks are in place to prevent the most common forms of attack. It would take some clever

MS doesn't make their money just out of selling games (and I seriously doubt they LOSE money on each console sale as they claim); they make a lot of money out of selling XDKs and licenses to publishers. The more people owning the console, the more publishers will want to port their games to it. Piracy and hacking is a surefire way to make the console available to those who can't afford or are unwilling to buy the games at their current price (not just in America but worldwide). Besides, they CAN'T clone the console, just the games themselves, so they have to buy the console anyway and MS knows that. That's why they have never been too severe with piracy or hacking (contrary to Sony, who is basically sinking the PSP by doing the opposite... and not releasing too many games either). Do you actually believe they haven't noticed there are groups doing great dashes and even homebrew games on their console using warezed XDKs? Entire companies dedicated to mod chips?

Do you think it's just a big coincidence they released UNPROTECTED demos and games, which can easily be compared to PROTECTED ones by pro hackers?

They are not stupid, you know? (at least not that stupid)

Yet IMO it would suck to own a modded or hacked Xbox 360 since you wouldn't be able to log in to Xbox Live, which is a big part of the 360 deal.

Bullshit. This is how every console manufacturer makes money. Sure, they make some money by licensing developers, but the amount of money the games industry makes is not being paid for by SDKs and such. Even if it was, the developers would have to offset this by the income they make from games. This would mean that the console makers would, transitively, be making money from selling games, not developer kits. And if your groundless assertion was corre

Look guys, I don't want to start a conspiracy theory, this is just my opinion. I just think it's too much of a coincidence, but it could be just about anything (simple incompetence or PR policies perhaps).
And about the Xbox price, a huge company like MS can't get good prices in buying hardware in large-scale sales and therefore has to sell at a loss? Sorry but I won't buy that for a second. Believing MS PR reports? Yeah right! They are still claiming the Xmas shortage was just a lucky misunderstanding!
"Seri

MS doesn't make their money just out of selling games (and I seriously doubt they LOSE money on each console sale as they claim)

People really don't understand this well at all. Developing the Xbox required a very large up front investment. To justify the investment, Microsoft will analyze how much they expect to sell, and amortize that cost over the consoles and games.

Clearly, their business model is such that if they only sold consoles, and not games, they would not recoup their costs. This makes sense b

I just changed one digit with a hex editor and re-burned the ISO. The change was in Call of Duty. It no longer plays. The other demos play just fine. No error message, it just locks up with a blank screen.

If you try the 360's demo downloading capability, you know that it can run downloaded content. I haven't sniffed the data stream myself, but encrypted connections slow servers down quite a bit and it's doubtful that Xbox Live servers even use them for content download on the order of a 500MB demo. Those binaries are signed just like the demos on the discs which can be burned. By signing the binaries, they don't need to worry about how the code got on the Xbox. DVD-R, download, remove hard drive->write binary->reinstall hard drive, iPod, it doesn't matter a bit. If it doesn't execute binaries that aren't signed by Microsoft's private key, it doesn't matter how you give it the binary, it won't run it. This is a non-story. Unless someone steals or breaks Microsoft's private key, this is gonna need a hardware hack at minimum.

To reiterate what others have said, the executables are still signed AND demo discs with no media checks have been around for months. So that rules out modifying the executables.

As far as gamesave exploits and the like...On the original Xbox, gamesaves were signed, but they used a key stored in plaintext in the executable. Meaning if you found a way to crash the game and run your code, it was trivial to get the game to accept it. I suspect on the Xbox 360 the key will be secret.

Secondly, games on the Xbox run in kernel mode. I suspect this is NOT the case on the Xbox 360.

The Xbox 360 does not use an off-the-shelf CPU. Microsoft licensed it and built its own. The original Xbox was first hacked because it used an off-the-shelf Mobile Celeron and thus its secret information had to be built into the Xbox-specific southbridge and travel down the HyperTransport, which could be sniffed. Since the Xbox 360 used an MS-made CPU, I would wager that the key is on the CPU itself.

If we presume that gamesaves are signed with a secret key in the CPU, and applications do not run in kernel mode, we can rule out gamesave exploits in addition to executable modifications.

In short, this "news" is pointless. MS ship an executable with a few different bits allowing DVD-R playback and people suddenly think that we have a new Dreamcast on our hands. The disc will undoubtedly be subject to much scrutiny, but we're not really any closer to hacking the Xbox 360.

People here talking about the executable still being signed and thus not hackable are terribly missing the point.

Team Pi notes that the DATA FILES are not protected. That means that content can be changed and thus the signed executable could be hijacked into loading unsigned code.

This is nothing new. It's exactly what happened in the old Xbox and the game 007: Agent Under Fire. Someone hacked a savefile, which exploited a buffer overrun on the PERFECTLY SIGNED executable from the game and enabled unsigned code (Linux, or a backup game if that's your intention) to run WITHOUT ANY MODCHIP.

You just need a Memory Card to load the hacked savefile from, and the original, signed, protected game.

Team Pi is suggesting that the same idea is possible here, and that's the reason why this ISO is being distributed.

And this is where the online capabilities become a mixed blessing. Just as users can download media, MS may be able to sneak in a DRM-esque update without the users knowing it. I'd be surprised if that didn't happen, in fact.

How's that any less significant than Sony rootkitting a business-class operating system? Liability to consumers versus liability to Big Business would be much less, plus on a controlled environment such as console, MS could update and wipe it clean.

I think the big question is why hasn't MS done as much as make a statement about Sony's ploy and how it affects security of machines that have access to "secure" information...

The DMCA makes it illegal to circumvent the protection. Copyright infringement is still illegal on top of that. Creating/using DeCSS violates the DMCA, but copying the DVD is copyright infringement. The DMCA is "evil", but just because people don't protect something technologically doesn't mean you should have the right to copy it willy nilly.

"but just because people don't protect something technologically doesn't mean you should have the right to copy it willy nilly."

If I buy a game, I should have the right to make a backup so I don't worry about the original being scratched. I don't really have that option right now, so I watch in horror as my son just casually tosses around $50 game disks.

This is quite true. However, Xboxes are cheap, and the modification is really easy for 1.1, 1.2, and 1.3-version Xboxes. You don't even have to solder anything, you can use a conductive pen. You could alternatively install a clip-on modchip, which leaves no traces of the modification if uninstalled, save for the opening of the case which is irrelevant for Xboxes in the US past something like 90 days (was it 60?) since the warranty is so damned short. Unless you buy the extended warranty, anyway, which is ba

Actually, it isn't. You can make a copy of a non-DRMed work of intellectual property for personal use, assuming of course you have the means to do so. Note that distributing it to other people over the net isn't considered 'personal use'.

First, IANAL. That said:

The DMCA makes it illegal to circumvent the protection.

There is an exception for compatibility. For example Asterisk PBX has a reverse engineered Skinny protocol, this is ok because it is done for compatibility. If this boot loader is used for running custom code on a personal x-box this would not be illegal even under the DMCA.

Copyright infringement is still illegal on top of that. Creating/using DeCSS violates the DMCA, but copying the DVD is copyright infringement.

No, it just allows you the fair use you were originally granted before the DMCA was put in. Copyright law still applies to everything you get; it's just that, unlike making a backup of a CSS-protected video DVD, you can make a backup of this unprotected demo disk because you didn't have to break encryption.

However, because of the very nature of this disk (restricted kiosk) it is unlikely that 99% of people will be able to make backup copies of it under fair use.

Sure, just like if someone does not lock up their valuables you're free to take all you want.

In reality, if your insurance company finds out you didn't lock your doors or take precautions against theft, they won't write you a check for your loss.

If I could break a rule here about analogies: if I make a juicy delicious steak and put it out on my table and I leave my door open and my neighbor's dog comes in and eats it... Who can I blame for my lost steak?

In clearer words: Yes, it's still illegal to copy [almost all] ISOs, but since Microsoft knew how heavily the original Xbox was cracked, if they made a way for the Xbox 360 to boot from a DVD-R, then they don't have anyone to blame if people use this to hack the Xbox. The dog was still wrong for eating your food, but that's what dogs do, so you should have "played hide the salami" (as Howard Dean would put it). The crackers were still wrong for trading warez, but that's what crackers do, so you should've put

Given that it's possible to boot from a DVD-R, I would fully expect the system to be as follows:

The 360 checks the media type (hard drive, DVD, whatever), and also the executable. The executable contains bits specifying what types of media it can run from. Since it's signed, it isn't feasible to modify those bits - until someone cracks the DRM scheme, of course.

This allows companies to release freely distributable (but still signed) demos, while the full game can still only be run from the original disk.
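A toy model of the scheme this post describes, added here as an example for the thread; it is not Microsoft's executable format and nothing in it comes from the 360. The header carries a bitmask of the media an executable may run from, the header and code are signed as one unit, and the loader reads the bitmask only after the signature verifies, so rewriting the media bits without the signing key is refused rather than honoured. The signature is an HMAC-SHA256 under a signer-only key, standing in for the public-key signature a real console would use; the key, magic value, header layout and media names are constructed.

```python
"""
Added example: media-permission bits protected by the executable signature.
The format, key and media constants are constructed for this illustration.
"""
import hashlib
import hmac
import struct

MEDIA_HDD = 0x1    # hard drive
MEDIA_DVD = 0x2    # pressed DVD
MEDIA_DVDR = 0x4   # burnable media

# Stand-in for the signer's private key; a real loader would hold only a
# public key and verify an asymmetric signature instead.
SIGNING_KEY = b"constructed-signer-key-not-a-real-secret"

HEADER_FMT = "<4sII"                       # magic, allowed-media bitmask, code length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
SIG_LEN = hashlib.sha256().digest_size     # 32 bytes


def build_image(code, allowed_media):
    """Signer side: header and code are covered by one signature."""
    body = struct.pack(HEADER_FMT, b"XEX!", allowed_media, len(code)) + code
    return body + hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def verify_image(image):
    """Loader side: return (allowed_media, code) only if the signature and
    header are consistent, otherwise None. Nothing in the header is trusted
    before the signature check passes."""
    if len(image) < HEADER_LEN + SIG_LEN:
        return None
    body, sig = image[:-SIG_LEN], image[-SIG_LEN:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    magic, allowed, length = struct.unpack_from(HEADER_FMT, body, 0)
    if magic != b"XEX!" or length != len(body) - HEADER_LEN:
        return None
    return allowed, body[HEADER_LEN:]


def loader_decision(image, current_media):
    """What the loader does with an image found on a given medium."""
    verified = verify_image(image)
    if verified is None:
        return "refused: bad signature"
    allowed, _code = verified
    if not allowed & current_media:
        return "refused: media not permitted"
    return "run"


def rewrite_media_bits(image, new_media):
    """Edit the bitmask in place without access to the signing key; used
    only to show that the loader notices."""
    return image[:4] + struct.pack("<I", new_media) + image[8:]


# Constructed images: a demo allowed on any medium, a retail title restricted
# to pressed DVD, and the retail header edited to also permit DVD-R.
DEMO = build_image(b"\x90demo-code", MEDIA_HDD | MEDIA_DVD | MEDIA_DVDR)
RETAIL = build_image(b"\x90game-code", MEDIA_DVD)
EDITED = rewrite_media_bits(RETAIL, MEDIA_DVD | MEDIA_DVDR)

if __name__ == "__main__":
    print("demo on DVD-R:  ", loader_decision(DEMO, MEDIA_DVDR))
    print("retail on DVD:  ", loader_decision(RETAIL, MEDIA_DVD))
    print("retail on DVD-R:", loader_decision(RETAIL, MEDIA_DVDR))
    print("edited on DVD-R:", loader_decision(EDITED, MEDIA_DVDR))
```

The point the model makes is that "no media check" and "unsigned" are separate properties: the demo image runs from DVD-R because its signed header says it may, while the retail image with its bits edited fails the signature check before the loader ever looks at the media field.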

You hit the nail on the head. This is exactly how the original Xbox was. The only issue is that only Microsoft has the key to sign executables on retail machines. Developers have their own keys that will only sign the files for running on the debug units. So if you're a developer and you make a demo, you have to have Microsoft sign the executable for people to play it on their normal 360s.

The article does not say anything about anything being unsigned - just that the media protection check is not present on the disc so it doesn't matter if the contents are on a pressed DVD, DVD-R or the HD. The code on the disc is still signed so any change to the executable would invalidate the signature and stop the code from running. That's why corngood puts boxxa's incorrect post down to a lack of comprehension and not a failure to RTFA.

It seems Microsoft was in such a hurry to get this stuff out that they forgot to set the media protection on this disc. This leaves hackers with the possibility to hack around with this disc that loads from a normal DVDR5 backup! - *Team Pi also notes that all the datafiles on this disc aren't signed in any way*, and will allow for extensive modification for producing exploits to further our effort to hack this box!

You're right that there is unsigned content on the disc (presumably), but that troll who started this thread said:

it now shows that there is a way to load and boot non signed dvds which will enable custom code and eventually softmodding

It doesn't show anything of the sort. It shows that demos are not likely to require a media check, so you can freely copy and run them. It's no different than the system update CD they officially released without a media check.